import { aws_iam as iam, aws_kms as kms, aws_s3 as s3, aws_secretsmanager as secretsManager, aws_ssm as ssm } from 'aws-cdk-lib';
import { Construct, IConstruct } from 'constructs';
import { DistinguishedName } from './certificate-signing-request';
import { ICredentialPair } from '../credential-pair';
export { DistinguishedName } from './certificate-signing-request';
/**
 * Construction properties for a `CodeSigningCertificate`.
 *
 * The private key never leaves AWS: it is generated on the AWS side, stored in
 * a Secrets Manager secret and encrypted with a KMS key. Only the CSR and,
 * once provided, the certificate are meant to travel outside the account.
 */
interface CodeSigningCertificateProps {
  /**
   * The number of bits to compose the modulus of the generated RSA private
   * key for this certificate. Smaller moduli weaken the key; prefer the
   * default or larger unless a CA mandates a specific size.
   *
   * @default 2048
   */
  rsaKeySize?: number;
  /**
   * The KMS CMK to use for encrypting the Secrets Manager secret that holds
   * the private key. Any principal permitted to decrypt with this key can in
   * turn read the private key, so its key policy deserves the same scrutiny
   * as the secret itself.
   *
   * @default A new KMS key will be allocated for you
   */
  secretEncryptionKey?: kms.IKey;
  /**
   * The PEM-encoded certificate that was signed by the relevant authority,
   * i.e. the certificate issued for the CSR produced by this construct.
   *
   * @default If a certificate is not provided, a self-signed certificate will
   * be generated and a CSR (certificate signing request) will be available in
   * the stack output.
   */
  pemCertificate?: string;
  /**
   * Whether a CSR should be generated, even if the certificate is provided.
   * This can be useful if one wants to renew a certificate that is close to
   * expiry without generating a new private key (for example, to avoid breaking
   * clients that make use of certificate pinning).
   *
   * @default false
   */
  forceCertificateSigningRequest?: boolean;
  /**
   * When enabled, the Private Key secret will have a DeletionPolicy of
   * "RETAIN", making sure the Private Key is not inadvertently destroyed.
   *
   * A retained secret survives deletion of the stack; it (and the access
   * granted to it) must then be reviewed and cleaned up by hand.
   *
   * @default true
   */
  retainPrivateKey?: boolean;
  /**
   * The Distinguished Name (subject) placed in the CSR for this certificate.
   */
  distinguishedName: DistinguishedName;
  /**
   * Base names for the private key and output SSM parameter
   *
   * @default - Automatically generated
   */
  readonly baseName?: string;
}
/**
 * A code-signing certificate together with the private key that backs it.
 *
 * Extends `ICredentialPair` (declared in `../credential-pair`, not visible
 * here), which presumably supplies the `credential`/`principal` members that
 * `CodeSigningCertificate` implements.
 */
export interface ICodeSigningCertificate extends IConstruct, ICredentialPair {
  /**
   * The S3 bucket where the self-signed certificate is stored.
   *
   * Optional: likely only present when no `pemCertificate` was supplied and a
   * self-signed certificate was generated — confirm against the implementation.
   */
  readonly certificateBucket?: s3.IBucket;
  /**
   * Grant the IAM principal permissions to read the private key and
   * certificate.
   *
   * This hands out the signing key itself, so grant it only to the principal
   * that actually performs signing, not to a broadly shared role.
   *
   * @param principal the IAM principal to grant; what happens when it is
   *   omitted is not visible from this declaration — check the implementation.
   */
  grantDecrypt(principal?: iam.IPrincipal): void;
}
/**
* A Code-Signing certificate, that will use a private key that is generated by a Lambda function. The Certificate will
* not be usable until the ``pemCertificate`` value has been provided. A typical workflow to use this Construct would be:
*
* 1. Add an instance of the construct to your app, without providing the ``pemCertificate`` property
* 2. Deploy the stack to provision a Private Key and obtain the CSR (you can surface it using a Output, for example)
* 3. Submit the CSR to your Certificate Authority of choice.
* 4. Populate the ``pemCertificate`` property with the PEM-encoded certificate provided by your CA of coice.
* 5. Re-deploy the stack so make the certificate usable
*
* In order to renew the certificate, if you do not wish to retain the same private key (your clients do not rely on
* public key pinning), simply add a new instance of the construct to your app and follow the process listed above. If
* you wish to retain the private key, you can set ``forceCertificateSigningRequest`` to ``true`` in order to obtain a
* new CSR document.
*/
/**
 * A Code-Signing certificate, that will use a private key that is generated by a Lambda function. The Certificate will
 * not be usable until the ``pemCertificate`` value has been provided. A typical workflow to use this Construct would be:
 *
 * 1. Add an instance of the construct to your app, without providing the ``pemCertificate`` property
 * 2. Deploy the stack to provision a Private Key and obtain the CSR (you can surface it using a Output, for example)
 * 3. Submit the CSR to your Certificate Authority of choice.
 * 4. Populate the ``pemCertificate`` property with the PEM-encoded certificate provided by your CA of choice.
 * 5. Re-deploy the stack to make the certificate usable
 *
 * In order to renew the certificate, if you do not wish to retain the same private key (your clients do not rely on
 * public key pinning), simply add a new instance of the construct to your app and follow the process listed above. If
 * you wish to retain the private key, you can set ``forceCertificateSigningRequest`` to ``true`` in order to obtain a
 * new CSR document.
 *
 * The private key is the sensitive half of this pair: it lives in the
 * `credential` secret, is encrypted with the KMS key from the props, and is
 * only exposed to principals passed to `grantDecrypt`.
 */
export declare class CodeSigningCertificate extends Construct implements ICodeSigningCertificate {
  /**
   * The AWS Secrets Manager secret that holds the private key for this CSC.
   * Read access to this secret is equivalent to possession of the signing key.
   */
  readonly credential: secretsManager.ISecret;
  /**
   * The AWS SSM Parameter that holds the certificate for this CSC.
   * The certificate is public material; the parameter name is what consumers
   * use to locate it.
   */
  readonly principal: ssm.IStringParameter;
  /**
   * The S3 bucket where the self-signed certificate is stored.
   * Optional; presumably only set when a self-signed certificate was
   * generated — confirm against the implementation.
   */
  readonly certificateBucket?: s3.IBucket;
  /**
   * @param parent the construct scope this certificate is created in
   * @param id     the construct id, unique within `parent`
   * @param props  construction properties; see `CodeSigningCertificateProps`
   */
  constructor(parent: Construct, id: string, props: CodeSigningCertificateProps);
  /**
   * Grant the IAM principal permissions to read the private key and
   * certificate.
   *
   * Grant this only to the principal that performs signing; it exposes the
   * private key, not just the public certificate.
   *
   * @param principal the IAM principal to grant; behaviour when omitted is not
   *   visible from this declaration.
   */
  grantDecrypt(principal?: iam.IPrincipal): void;
}